China-backed group breaches global corporate networks
Researchers have uncovered a large-scale hacking campaign that uses advanced tools and techniques to break into global corporate networks.
The attackers belong to a well-known group backed by the Chinese government and come equipped with a ready-made toolset.
One such tool exploits Zerologon, the name given to a Windows Server vulnerability patched in August 2020 that can hand attackers administrative privileges on vulnerable domain controllers.
Symantec tracks the group, which is widely assessed to be funded by the Chinese government, under the codename Cicada.
Other research organizations know the same group as APT10, Stone Panda and Cloud Hopper.
The group has been active in hacking and espionage since at least 2009, and it specifically targets companies with ties to Japan.
The companies hit in the recent campaign are based in the United States and other countries, but all of them are Japanese or linked to Japanese firms.
The researchers wrote: "Japan-affiliated organizations must remain vigilant, as they are clearly the main targets of this complex organization, and the automobile industry appears to be the main target of this attack."
They added: "Given the wide variety of industries targeted by these attacks, Japanese organizations from all walks of life must realize that they are being subjected to such activity."
The attacks made heavy use of DLL side-loading. In this technique the attacker plants a malicious DLL where a legitimate, usually trusted, application will load it in place of the library it expects.
Because the malicious code then runs inside a legitimate process, it is far less likely to be flagged by security software, which is exactly why attackers favour it.
The campaign also used tooling that targets Netlogon, the protocol Windows servers use to let users log on to the network.
The Zerologon flaw lets unauthenticated attackers abuse that protocol to take over an Active Directory domain controller, which in turn controls every machine on the network.
Microsoft fixed this critical privilege-escalation bug in August 2020, but it continues to be exploited against organizations that have not yet installed the update.
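The two techniques described above leave recognisable traces in Windows event logs. The following detection sketch is an added example, not code from the article or from Symantec's report: it runs over constructed event records (dicts standing in for parsed Sysmon and Security/System events) and flags an unsigned DLL loaded from outside the system directories under a well-known library name (side-loading), a domain controller machine-account password reset logged with ANONYMOUS LOGON as the subject (the footprint of a Zerologon exploit), and the NETLOGON events 5827 to 5829 that a patched domain controller emits for vulnerable secure-channel attempts. The list of commonly impersonated DLL names and the user-writable path markers are illustrative assumptions, not an exhaustive rule set.

```python
"""Added example (not from the article or Symantec): flag DLL side-loading and
Zerologon-style activity in Windows event records. Records are constructed
dicts; field names follow Sysmon Event ID 7, Security Event ID 4742 and the
NETLOGON events 5827-5829 that the August 2020 update introduced."""

import ntpath
from typing import Optional

# Directories the OS itself serves DLLs from. A DLL carrying a system library's
# name but loaded from anywhere else is the classic side-loading signature.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Locations an unprivileged user can write to (assumed, illustrative subset).
USER_WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
# Library names frequently impersonated by side-loaded DLLs (assumed, illustrative subset).
COMMON_SIDELOAD_NAMES = {"version.dll", "dbghelp.dll", "msvcr100.dll", "wtsapi32.dll", "cryptbase.dll"}

ANONYMOUS_LOGON_SID = "S-1-5-7"
NETLOGON_DENIED_IDS = {5827, 5828}  # patched DC refused a vulnerable Netlogon secure channel
NETLOGON_ALLOWED_ID = 5829          # DC still permits vulnerable channels (enforcement not yet on)


def _norm(path: str) -> str:
    """Lower-case and use backslashes so path checks are case/separator-insensitive."""
    return path.lower().replace("/", "\\")


def is_sideload_candidate(event: dict) -> bool:
    """Sysmon Event ID 7 (Image loaded): an unsigned DLL loaded from outside the
    system directories that either borrows a well-known system library name or
    sits in a user-writable directory next to its host executable."""
    if event.get("EventID") != 7:
        return False
    dll = _norm(event["ImageLoaded"])
    if dll.startswith(SYSTEM_DIRS):
        return False
    signed = event.get("Signed", "false").lower() == "true" and event.get("SignatureStatus") == "Valid"
    if signed:
        return False
    name = ntpath.basename(dll)
    same_dir = ntpath.dirname(dll) == ntpath.dirname(_norm(event["Image"]))
    writable = any(marker in dll for marker in USER_WRITABLE_MARKERS)
    return name in COMMON_SIDELOAD_NAMES or (same_dir and writable)


def is_zerologon_indicator(event: dict) -> Optional[str]:
    """Return a description if the record looks like Zerologon activity, else None.

    Security 4742 (computer account changed): exploitation resets the DC's own
    machine-account password, and the change is logged with ANONYMOUS LOGON
    (S-1-5-7) as the subject because the attacker never authenticated.
    System/NETLOGON 5827-5829: a patched DC reports vulnerable secure-channel
    attempts it denied (5827/5828) or, with enforcement off, allowed (5829)."""
    eid = event.get("EventID")
    if eid == 4742:
        target = event.get("TargetUserName", "")
        if (event.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
                and target.endswith("$")
                and event.get("PasswordLastSet", "-") != "-"):
            return f"machine-account password reset by ANONYMOUS LOGON on {target}"
    if event.get("Provider") == "NETLOGON":
        if eid in NETLOGON_DENIED_IDS:
            return f"vulnerable Netlogon channel denied from {event.get('Machine')}"
        if eid == NETLOGON_ALLOWED_ID:
            return f"vulnerable Netlogon channel ALLOWED from {event.get('Machine')} (enforcement off)"
    return None


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Sysmon 7: legitimate load from System32 -> not flagged
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true", "SignatureStatus": "Valid"},
    # Sysmon 7: vendor tool copied to Temp loads an unsigned version.dll beside it -> flagged
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\update\vendortool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Security 4742: DC01$ password reset by ANONYMOUS LOGON -> flagged
    {"EventID": 4742, "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "PasswordLastSet": "11/17/2020 09:14:02"},
    # Security 4742: routine change by an admin, password untouched -> not flagged
    {"EventID": 4742, "SubjectUserSid": "S-1-5-21-1-2-3-500", "SubjectUserName": "admin",
     "TargetUserName": "FS01$", "PasswordLastSet": "-"},
    # System/NETLOGON 5827: patched DC refused a vulnerable channel -> flagged
    {"EventID": 5827, "Provider": "NETLOGON", "Machine": "WKS-07"},
]


def scan(events) -> list:
    """Return (event index, finding) pairs for every record that matches a rule."""
    findings = []
    for i, ev in enumerate(events):
        if is_sideload_candidate(ev):
            findings.append((i, f"possible DLL side-loading: {ev['Image']} loaded {ev['ImageLoaded']}"))
        label = is_zerologon_indicator(ev)
        if label:
            findings.append((i, "possible Zerologon: " + label))
    return findings


if __name__ == "__main__":
    for idx, msg in scan(SAMPLE_EVENTS):
        print(f"[{idx}] {msg}")
```

Two caveats for anyone adapting this: the 4742 rule only fires if "Audit Computer Account Management" is enabled on the domain controllers, and the 5827 to 5829 events exist only on domain controllers that have installed the August 2020 update, so their absence on an unpatched DC proves nothing.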
The FBI and the Department of Homeland Security have urged companies and organizations to patch vulnerable systems.
Active Directory domain controllers and file servers were among the systems compromised in the attacks Symantec detected.
The targets spanned multiple industries, with the automotive sector, both automakers and component suppliers, prominent enough to show that this industry matters to the attackers.
Other targeted industries include apparel, electronics, engineering, general trading, industrial products and pharmaceuticals.
Symantec attributes the attacks to Cicada based on digital fingerprints in the malware and attack code used against the targeted companies.